security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-11-05 17:14:33 +00:00
parent ac176d6536
commit 1663bf7d52
7 changed files with 211 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1531/T1531.md
+65
View File
@@ -0,0 +1,65 @@
# T1531 - Account Access Removal
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1531)
<blockquote>Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Change User Password - Windows](#atomic-test-1---change-user-password---windows)
- [Atomic Test #2 - Delete User - Windows](#atomic-test-2---delete-user---windows)
<br/>
## Atomic Test #1 - Change User Password - Windows
Changes the user password to hinder access attempts. Seen in use by LockerGoga.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | Administrator|
| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
net.exe user #{user_account} #{new_password}
```
#### Commands to Check Prerequisites:
```
net.exe user #{user_account}
```
<br/>
<br/>
## Atomic Test #2 - Delete User - Windows
Deletes a user account to prevent access.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account to be deleted. | string | AtomicUser|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
net.exe user #{user_account} /delete
```
#### Commands to Check Prerequisites:
```
net.exe user #{user_account} /add
net.exe user #{user_account} P@$$w0rd
```
<br/>